[Snort-sigs] SID 510
warchild at ...288...
Fri Feb 15 18:10:23 EST 2002
Hrm, I smell duplicate rules....
alert tcp $EXTERNAL_NET any -> $HOME_NET 9000:9002 (msg:"INFO HP JetDirect LCD modification attempt"; flags:A+; content:"@PJL RDYMSG DISPLAY ="; classtype:misc-activity; reference:bugtraq,2245; reference:arachnids,302; sid:510; rev:3;)
An attempt to change the message on the LCD display on a
JetDirect-enabled HP printer was detected.
User confusion and comedy, mostly.
The HP JetDirect printers allow remote machines to change the message
that is displayed on the LCD panel.
As part of an attempt to confuse and annoy users, an attacker may
attempt to change the previously mentioned message.
Ease of Attack:
Relatively simple. All that is required is a way to connect to the
JetDirect port of the victim printer and a minimal knowledge of how
JetDirect works. A telnet/nc client would suit the job well, but
there are also many featureful programs that'll allow you to
accomplish the same ends.
This rule will get triggered every time a legitimate print job is
executed and the display is updated.
Update to the latest JetDirect, and investigate the possibility of
restricting access to a central print-server using the "allow: <ip>
<netmask>" directive in a printer config file.
Jon Hart <jhart at ...289...>
Warchild <warchild at ...288...>
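Added example, not part of the original post or of Snort: a triage helper for SID 510 alerts that separates the false-positive case described above (a print job that also updates the display) from a display change sent on its own. The function names and sample payloads are constructed, and treating an "@PJL JOB" or "@PJL ENTER LANGUAGE" line in the same payload as the sign of a real print job is an assumption of this sketch.

```python
import re

UEL = b"\x1b%-12345X"  # PJL Universal Exit Language prefix

# Literal string from the rule's content option.
SID510_CONTENT = b"@PJL RDYMSG DISPLAY ="

# Pull the quoted display text out of the RDYMSG command.
RDYMSG = re.compile(rb'@PJL\s+RDYMSG\s+DISPLAY\s*=\s*"([^"\r\n]*)"', re.I)

# Assumption: these commands accompany a real print job.
JOB_MARKERS = re.compile(rb"@PJL\s+(JOB|ENTER\s+LANGUAGE)\b", re.I)


def sid510_matches(payload: bytes) -> bool:
    """Same byte-for-byte test as the rule's content match."""
    return SID510_CONTENT in payload


def triage(payload: bytes) -> dict:
    """Classify a payload that fired SID 510."""
    if not sid510_matches(payload):
        return {"rdymsg": None, "verdict": "no-match"}
    m = RDYMSG.search(payload)
    text = m.group(1).decode("ascii", "replace") if m else None
    in_job = JOB_MARKERS.search(payload) is not None
    verdict = "print-job" if in_job else "standalone"
    return {"rdymsg": text, "verdict": verdict}


# Constructed payloads (not captured traffic).
JOB_SAMPLE = (
    UEL
    + b'@PJL JOB NAME = "report.doc"\r\n'
    + b'@PJL RDYMSG DISPLAY = "Printing report.doc"\r\n'
    + b"@PJL ENTER LANGUAGE = PCL\r\n"
    + b"\x1bE...page data...\x1bE"
    + UEL
    + b"@PJL EOJ\r\n"
)
LONE_SAMPLE = UEL + b'@PJL RDYMSG DISPLAY = "CONSTRUCTED TEST"\r\n' + UEL

if __name__ == "__main__":
    for name, data in (("job", JOB_SAMPLE), ("lone", LONE_SAMPLE)):
        print(name, triage(data))
```

Payloads classed as "standalone" are the ones worth an analyst's time; "print-job" hits correspond to the false positives noted above.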